The data protection legislation in both Guernsey and Jersey prescribes offences of knowingly or recklessly obtaining or disclosing personal data (or the information contained within it) without the consent of the relevant controller. These mirror the offences set out in the UK’s Data Protection Act 2018.

It should be emphasised that a person acting in this manner commits a criminal offence (subject to proving any available defence). This is not a case of civil liability and hoping to rely on professional indemnity insurance to cover the costs of the error. On conviction for this particular offence, perpetrators in Jersey face the imposition of a fine, and those in Guernsey risk a combination of a fine and/or prison sentence of up to two years. Furthermore, where that individual is working in the financial services industry, theft of personal data is likely to be viewed seriously by the GFSC and JFSC when it comes to assessing whether an individual should be regarded as fit and proper.

Nevertheless, it seems that the threat of criminal sanction has not proved to be a sufficient deterrent to certain disgruntled or overly curious employees. Two very recent UK cases (dealt with under the previous regime of the Data Protection Act 1998) resulted in the imposition of fines on employees who unlawfully accessed patient medical records and the personal data of customers of a car dealership.

In Guernsey, February 2019 saw the acquittal of a hospital employee facing prosecution for unlawfully accessing patient records without proper justification, and judicial criticism that the employer did not, apparently, have in place a suitably accessible data protection policy at the relevant time. Whilst the new data protection regimes in both the UK and Guernsey will no doubt have led to changes and improvements in the approaches of the businesses or departments concerned, the actions of employees (whether “rogue” or inadvertent) remain one of the main sources of concern for boards.

Unfortunately for businesses, the ramifications of deliberate breaches by employees do not stop at the point of individual criminal sanction for the perpetrator.

A stark warning lies in the well-publicised case involving the deliberate circulation of employees’ payroll data by a disgruntled internal auditor of the Morrisons supermarket chain. The Court of Appeal in the UK upheld the High Court’s finding that, notwithstanding that the perpetrator’s actions were deliberate and intended to cause harm to Morrisons, the employer was vicariously liable for those actions (and the compensation sought by the employees).

It will be of concern to businesses that the deliberate act of a disgruntled employee can result in the employer shouldering loss claimed by the ultimate victims of the data breach. On policy grounds, it is understandable that the rights of the data subjects are best protected by way of civil redress against a financially stable (and usually insured) business. Whilst the sight of individual perpetrators being prosecuted may bring short-term satisfaction for those impacted, there is often no effective redress or compensation available.

All is not lost – businesses can minimise their risk in the following ways:

1. Regular staff training on data protection policy, including updates and refresher training, ensuring that staff understand and acknowledge their individual obligations and those of the business. Culture is key.

2. Pessimistic security measures limiting access to personal data to staff who require it for a specific and legitimate purpose.

3. Monitoring staff access to personal data held by the business so as to detect any unusual patterns of access or extraction.

4. Regular reviews of personal data inventories held by the business so as to ensure compliance with restrictions on time limits for its retention.

If properly implemented and maintained, the above measures will assist a business to reduce the risk of accidental or deliberate conduct by staff that could result in civil or criminal liabilities. Building a culture of security and trust within an organisation and with customers is vital to maintaining success in today’s digital economy.
